On Mon, 2006-01-30 at 22:19 +0000, Martin Ebourne wrote:
> Further to this, I note that I don't even need the
> inetd_child_disable_trans boolean set now. By default nrpe running under
> xinetd is allowed to sudo. Should this not be controlled?
>
> What protection does running xinetd under selinux give?

IIRC, the default targeted policy in Fedora leaves inetd children who do not have a specific domain defined for them unconfined, as otherwise all external (outside of Fedora) inetd-based services that lack policy would immediately break. The strict policy takes the more conservative approach for security, at the risk of greater application breakage.

--
Stephen Smalley
National Security Agency

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list